Virtualization@IBM

Blog Authors: IBM Software Defined, Virtualization+IBM, Nitin_Gaur, Jean Staten Healy, John_Foley, SamVanAlstyne, alicia_wood
Virtualization combined with Integrated Service Management helps you
use your resources effectively, manage your infrastructures
efficiently and gain the flexibility to meet ever changing business
demands.
This blog is for the open exchange of ideas relating to
virtualization across the entire infrastructure. Articles written
by IBM's virtualization experts serve as conversation starters.
Topics can range from latest technologies for server consolidation
and tools for simplified systems management and monitoring to
automating IT systems to respond to changing business conditions and
cloud-based solutions for the "virtual" enterprise.

Over the past few years x86 virtualization has become widespread through server consolidation, and recently it has moved to the heart of cloud computing. KVM provides a virtualization solution with world-class performance together with the benefits of an open source platform. This post explains the key components of KVM and how they work together.

Hardware virtualization from Linux kernel

KVM is closely associated with Linux because it uses the Linux kernel as its hypervisor. A host running KVM is running an ordinary Linux kernel plus the KVM kernel modules (kvm.ko together with kvm-intel.ko or kvm-amd.ko), which were merged into Linux 2.6.20 and have been maintained as part of the kernel since. This approach takes advantage of the insight that a hypervisor must solve the same hardware and resource management problems (scheduling, memory management, device drivers) that operating system kernels have already solved. Linux is a modular kernel and is therefore a good base for building a hypervisor.

Full Linux hardware support for network cards, storage, and servers

Since KVM uses the Linux kernel, KVM works with the network cards, storage adapters, and other hardware supported by Linux. This gives KVM excellent host hardware support that does not lag behind bare metal operating systems.

Hardware virtualization extensions provide a secure and efficient way to run VM code on the physical CPU

At the heart of KVM is a Linux kernel module which safely executes guest code directly on the host CPU. This is made efficient by hardware virtualization extensions (Intel VT-x and AMD-V), introduced in the mid-2000s and available in almost all modern x86 processors. The virtualization extensions added a new mode of execution in which unmodified guests run without being given full access to memory and other resources: privileged or sensitive operations in the guest trap back to the KVM module, which decides how to handle them. The strength of the guest/host boundary therefore rests on the CPU enforcing that mode correctly and on KVM handling every such trap correctly.

Device emulation in user space

While guest code executes directly on the host CPU in a safe manner, most I/O accesses are trapped and handled by the hypervisor rather than being sent directly to host devices. The guest sees an emulated chipset and PCI bus on which both emulated and pass-through adapters can be added. KVM also features paravirtualized (virtio) networking, storage, and memory ballooning drivers that improve the efficiency of I/O and allow adjusting the amount of RAM available to a guest at run time.

Runs with SELinux isolation

Device emulation is performed by the qemu-kvm user space process on the host, one process per guest. This allows the kernel module to stay lean and focus on the most performance-critical aspects while device emulation happens in an isolated process outside of the host kernel. Because that process parses guest-controlled I/O, it is the most exposed component of the stack; the sVirt feature locks each qemu-kvm process down with SELinux Mandatory Access Control so it can access only the files and resources it needs (its own disk images, sockets and tap devices) and nothing more.

Secure remote management API

Management tools need to monitor and access guests that might be running on remote hosts or locally. This is done through a set of APIs and utilities that enable applications to manipulate guests and automate management tasks. libvirt provides the API, language bindings and command-line utilities for developing applications and scripting common operations.

Each host runs the libvirt daemon (libvirtd), which provides the secure remote management API, but it can also be configured to serve local clients only and not listen on the network. The libvirt daemon maintains guest configurations across reboots and is the central point for setting up networking and storage pools.

Systems management can be added and uses libvirt API

Most administration is done with tools that use the libvirt API, especially the virsh command-line tool which presents guest and host management operations. The graphical virt-manager tool can easily manage local or remote guests. Third-party management tooling such as cloud stacks can be used for higher-level datacenter or cloud management and they typically integrate with libvirt.

Conclusion

This completes the short trip through KVM, starting from the core hypervisor which is implemented as a Linux kernel module, through device emulation by qemu-kvm, to the secure remote management API provided by libvirt. To consumers of KVM, most functionality is abstracted behind the management tools, but its architecture determines its key strengths, including excellent performance and a constantly growing tools ecosystem.

When taking
advantage of virtualization to flexibly and conveniently manage workloads, a
new security model should be considered. In a traditional environment,
where a single operating system runs on its own private hardware, the central
attack vector is through the network. However, in a virtualized
environment, where multiple guest operating systems are sharing the same host
operating system and hardware, the attack vector is not only external to the
system and through the network, but also internal from within the system.
In this post, we'll touch on a number of steps that can be taken to minimize
the security exposures presented in your KVM environment.

For more details on the
topics discussed below, please take a look at the KVM Security blue print
located at:
http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=/liaat/liaatseckickoff.htm.
It contains a thorough discussion on these topics, including several
configuration examples.

Minimize vulnerabilities
by minimizing the TCB

The trusted computing base
(TCB) is the combination of hardware and software in a computer system that is
trusted to enforce security for the system. On a KVM host that means the
kernel and the KVM modules, qemu-kvm, libvirtd and anything else running with
enough privilege to subvert them. The TCB must be verified and maintained
regularly to make sure it is correct, and a smaller TCB leaves fewer places
for a bug to hide. Therefore, the size of the TCB has a direct effect on the
security quality of KVM. To reduce the TCB, turn off unused daemons, remove
unnecessary packages from the host operating system, and do not run unrelated
workloads on the host alongside the guests.

Separate host and guest
networks to protect the host

The security of a KVM host can be increased by isolating the host network
(used for management, libvirt, migration and storage traffic) from the network
used by guests. Typically, users who access the host are privileged while
users who access guests are not. This separation not only isolates the host
and guest operating systems, but also prevents a malicious unprivileged user
in a guest from reaching the host's management services at all.

Prevent MAC address
spoofing

A root user in a guest operating system can change the MAC address of its
virtual network device. By enforcing a single MAC address for each guest
network device, MAC address spoofing can be prevented; with libvirt this is
done by attaching a network filter (nwfilter) such as the bundled
no-mac-spoofing or clean-traffic filter to the guest's interface. Preventing
MAC address spoofing stops a rogue root user in a guest from masquerading as
another guest (or as the host).

Segregate network
traffic within a bridged network

A common KVM deployment employs a Linux network bridge, which carries
incoming and outgoing network traffic to and from guests. In order to
provide data separation between guests sharing the bridged LAN, the bridge
can be extended with VLAN tagging: guests are attached to bridges built on
VLAN sub-interfaces, and packets arriving on a particular VLAN that do not
carry the expected VLAN ID tag are dropped. VLAN separation protects guests
from snooping on each other's traffic; it does not stop a guest from flooding
the shared physical link, which is what the resource limits discussed further
down are for.
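The two network checks above (guest NICs kept off the host management bridge, and a MAC-pinning nwfilter on every NIC) can be audited from the guest definition. The following is an added example, not code from the original post or from libvirt: it inspects `virsh dumpxml`-style XML with the standard library. The bridge names br-mgmt and br-guest-vlan100 are made up; clean-traffic and no-mac-spoofing are the filter definitions that ship with libvirt. The first interface in the sample is the hardened form, the second shows both mistakes.

```python
# Added example, not from the original post: audit a guest definition for
# the network hardening described above (guest traffic kept off the host
# management bridge, and a MAC-pinning nwfilter on every NIC).
import xml.etree.ElementTree as ET

# nwfilter definitions that ship with libvirt and pin the guest to its MAC.
MAC_PINNING_FILTERS = {"clean-traffic", "no-mac-spoofing"}

# Constructed sample of `virsh dumpxml` output. Bridge names are made up:
# br-mgmt is the host's management bridge, br-guest-vlan100 a guest VLAN bridge.
# The first interface is the hardened form; the second shows both mistakes.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>rhel6-web</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:12:34:56'/>
      <source bridge='br-guest-vlan100'/>
      <filterref filter='clean-traffic'>
        <parameter name='MAC' value='52:54:00:12:34:56'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:ab:cd:ef'/>
      <source bridge='br-mgmt'/>
    </interface>
  </devices>
</domain>"""


def audit_domain(xml_text, guest_bridges, mgmt_bridges):
    """Return [(interface_index, finding), ...] for one domain definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for idx, iface in enumerate(root.iter("interface")):
        mac_el = iface.find("mac")
        mac = mac_el.get("address", "").lower() if mac_el is not None else ""
        src = iface.find("source")
        bridge = src.get("bridge") if src is not None else None

        # 1. Guest NICs belong on a guest bridge, never on the management network.
        if iface.get("type") != "bridge":
            findings.append((idx, "type %r, expected a bridge interface" % iface.get("type")))
        elif bridge in mgmt_bridges:
            findings.append((idx, "attached to management bridge %s" % bridge))
        elif bridge not in guest_bridges:
            findings.append((idx, "attached to unknown bridge %r" % bridge))

        # 2. A MAC-pinning nwfilter must be attached ...
        fref = iface.find("filterref")
        if fref is None or fref.get("filter") not in MAC_PINNING_FILTERS:
            findings.append((idx, "no MAC-pinning nwfilter (clean-traffic or no-mac-spoofing)"))
            continue

        # 3. ... and if it names the MAC explicitly, it must be the NIC's own MAC.
        # (Without an explicit parameter libvirt fills $MAC from <mac address>.)
        params = {p.get("name"): p.get("value", "") for p in fref.findall("parameter")}
        pinned = params.get("MAC", "").lower()
        if pinned and pinned != mac:
            findings.append((idx, "filter pins %s but the NIC's MAC is %s" % (pinned, mac)))
    return findings


if __name__ == "__main__":
    for idx, text in audit_domain(SAMPLE_DOMAIN_XML, {"br-guest-vlan100"}, {"br-mgmt"}):
        print("interface %d: %s" % (idx, text))
```

Run it over `virsh dumpxml <guest>` for every defined guest on a host; the set of guest bridges is the one allow-list worth maintaining, since an interface on any bridge outside it is either a typo or a bypass of the VLAN separation.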

Isolate virtual machines
from each other

sVirt is a libvirt technology that combines NSA-developed SELinux
technology with KVM to provide Mandatory Access Control (MAC) guest
isolation. Mandatory Access Control provides security controls that a
subject cannot override, even as root. The MAC security provided by sVirt
runs each guest's qemu-kvm process in the svirt_t domain with a unique pair
of MCS categories and labels that guest's disk images with the same
categories, so a guest process can access only the data (image files) that
belong to it. sVirt is available out of the box on Red Hat Enterprise Linux
(since RHEL 6) where SELinux is enabled by default.

Be sure that storage
devices are secure

When storing guest disk images in a non-default location, it is important
to apply the same directory and file permissions, and the same SELinux labels,
as those that protect disk images stored in the default
(/var/lib/libvirt/images) directory; otherwise guests will fail to start or,
worse, other users on the host will be able to read the images. Additionally,
if you plan to store guest disk images on an NFS mount, it is important to
understand that NFS does not support file labels: the virt_use_nfs SELinux
boolean lets guests reach files labeled nfs_t at all, but every guest then
shares that one label, so sVirt cannot isolate one guest's image files from
another's.
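The sVirt and storage points above (each qemu-kvm process confined in svirt_t with its own MCS pair, each image labeled svirt_image_t with the same pair, NFS-hosted images unisolated) can be checked from two listings. The following is an added example, not code from the original post or from libvirt: it parses `ps -eo label,pid,comm` style output ("label pid command") and `ls -Z` style output from recent coreutils ("label path"). The processes, paths and categories in the samples are constructed for the example.

```python
# Added example, not from the original post: check that every running guest is
# confined by sVirt and that its disk images carry that guest's MCS
# categories. Input formats assumed: `ps -eo label,pid,comm` ("<label> <pid>
# <command>") and `ls -Z` from recent coreutils ("<label> <path>"). The
# processes, paths and categories below are constructed for this example.
import re

MCS_PAIR = re.compile(r"^c\d+,c\d+$")

SAMPLE_PS = """\
system_u:system_r:virtd_t:s0-s0:c0.c1023 1044 libvirtd
system_u:system_r:svirt_t:s0:c47,c903 2101 qemu-kvm
system_u:system_r:svirt_t:s0:c212,c650 2214 qemu-kvm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2390 qemu-kvm
"""

SAMPLE_LS = """\
system_u:object_r:svirt_image_t:s0:c47,c903 /var/lib/libvirt/images/rhel6-web.img
system_u:object_r:svirt_image_t:s0:c212,c650 /var/lib/libvirt/images/rhel6-db.img
system_u:object_r:svirt_image_t:s0:c8,c9 /srv/images/adhoc.img
system_u:object_r:virt_image_t:s0 /srv/images/shared-base.img
system_u:object_r:nfs_t:s0 /mnt/nfs/images/nfs-guest.img
"""


def split_label(label):
    """Return (type, mcs_categories) from user:role:type:level[:categories]."""
    parts = label.split(":")
    return (parts[2] if len(parts) > 2 else ""), (parts[4] if len(parts) > 4 else "")


def audit_processes(ps_output):
    """Return ({pid: categories} for properly confined guests, [findings])."""
    cats_by_pid, seen, findings = {}, {}, []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[2].startswith("qemu"):
            continue
        label, pid = fields[0], fields[1]
        stype, cats = split_label(label)
        if stype != "svirt_t":
            findings.append("pid %s: runs as %s, not confined by sVirt" % (pid, stype))
        elif not MCS_PAIR.match(cats):
            findings.append("pid %s: svirt_t without a unique MCS pair (%s)" % (pid, label))
        elif cats in seen:
            findings.append("pid %s: shares categories %s with pid %s" % (pid, cats, seen[cats]))
        else:
            seen[cats] = pid
            cats_by_pid[pid] = cats
    return cats_by_pid, findings


def audit_images(ls_output, cats_by_pid):
    """Flag images that are not tied to exactly one running, confined guest."""
    owner = dict((cats, pid) for pid, cats in cats_by_pid.items())
    findings = []
    for line in ls_output.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue
        stype, cats = split_label(fields[0])
        path = fields[1]
        if stype == "svirt_image_t":
            if cats not in owner:
                findings.append("%s: categories %s match no running guest" % (path, cats or "(none)"))
        elif stype == "nfs_t":
            findings.append("%s: on NFS, which carries no file labels, so no per-guest isolation" % path)
        else:
            findings.append("%s: labeled %s, not tied to a single guest" % (path, stype))
    return findings


if __name__ == "__main__":
    cats, findings = audit_processes(SAMPLE_PS)
    for f in findings + audit_images(SAMPLE_LS, cats):
        print(f)
```

In the sample, pid 2390 is a qemu-kvm started outside libvirt (unconfined), adhoc.img carries categories that belong to no confined guest, shared-base.img has a static label any guest can reach, and nfs-guest.img cannot be isolated at all; only the two images under /var/lib/libvirt/images pass.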

Perform secure remote
management

When performing remote management, the client and server should first be
authenticated and data that is transmitted over the wire should be encrypted
whenever possible. With the exception of Spice, or accessing the VNC
console with a tool other than virt-viewer (where communication is directly
with the qemu-kvm process), all guest management is performed through libvirtd
clients such as virsh, virt-viewer, and virt-manager. When using these clients
remotely, data can be transmitted via secure encrypted connections such as SSH
tunnels (qemu+ssh:// URIs) or TLS (qemu+tls:// URIs, the default transport for
remote URIs). In addition to encryption, TLS provides mutual authentication
with X.509 certificates. virsh also supports SASL authentication and
encryption. Avoid libvirtd's plain TCP listener (listen_tcp) unless SASL is
configured on it. If accessing the VNC console with a tool other than
virt-viewer, the connection can be tunneled over SSH.

Spice
can be used to provide high-quality remote access to KVM guests; it supports
TLS encryption (built on OpenSSL) and password (ticket) authentication.
Spice is not described in the KVM Security blueprint that was referenced
earlier in this post. For more information on Spice, see:
http://www.spice-space.org/.
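The remote-management advice above comes down to a handful of libvirtd.conf settings and the transport encoded in the connection URI. The following is an added example, not code from the original post or from libvirt: it parses libvirtd.conf, reports the weak settings with a weak configuration beside a corrected one, and classifies connection URIs by transport. The option names and defaults are libvirtd's own; the file contents and the DN in the allow-list are constructed.

```python
# Added example, not from the original post: audit libvirtd.conf for the
# remote-management settings discussed above, with a weak configuration beside
# a corrected one, and classify connection URIs by transport. The option
# names and defaults are libvirtd's own; the file contents and the DN in the
# allow-list are constructed for this example.
import re

# libvirtd defaults for the options checked here.
DEFAULTS = {
    "listen_tls": 1,                    # TLS listener on (needs --listen to take effect)
    "listen_tcp": 0,                    # plaintext TCP listener off
    "auth_tcp": "sasl",
    "auth_tls": "none",                 # the client certificate is the authentication
    "tls_no_verify_certificate": 0,
    "tls_allowed_dn_list": [],
}

WEAK_CONF = """\
# constructed: anyone who can reach the port can manage every guest
listen_tls = 1
listen_tcp = 1
auth_tcp = "none"
tls_no_verify_certificate = 1
"""

HARDENED_CONF = """\
# constructed: TLS only, client certs verified and restricted to one DN
listen_tls = 1
listen_tcp = 0
tls_no_verify_certificate = 0
tls_allowed_dn_list = ["C=US,O=Example Corp,CN=kvm-admin"]
"""


def parse_libvirtd_conf(text):
    """Parse the key = value lines of libvirtd.conf (ints, "strings", ["lists"])."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # values do not contain '#' in practice
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("["):
            conf[key] = re.findall(r'"([^"]*)"', value)
        elif value.startswith('"'):
            conf[key] = value.strip('"')
        else:
            conf[key] = int(value)
    return conf


def audit_libvirtd(conf):
    """Return findings for settings that weaken remote management."""
    c = dict(DEFAULTS)
    c.update(conf)
    findings = []
    if c["listen_tcp"] and c["auth_tcp"] == "none":
        findings.append("listen_tcp=1 with auth_tcp=none: unauthenticated, unencrypted remote API")
    elif c["listen_tcp"]:
        findings.append("listen_tcp=1: plaintext listener; prefer the TLS or SSH transport")
    if c["listen_tls"] and c["tls_no_verify_certificate"]:
        findings.append("tls_no_verify_certificate=1: client certificates are not checked")
    if c["listen_tls"] and c["auth_tls"] == "none" and not c["tls_allowed_dn_list"]:
        findings.append('TLS accepts any certificate issued by the CA; set tls_allowed_dn_list or auth_tls="sasl"')
    return findings


def uri_transport(uri):
    """Describe how a libvirt URI reaches libvirtd (local socket, TLS, SSH, plain TCP)."""
    m = re.match(r"^[a-z]+(?:\+([a-z0-9]+))?://([^/]*)/", uri)
    if not m:
        raise ValueError("not a libvirt URI: %r" % uri)
    transport, host = m.group(1), m.group(2)
    if not host or transport == "unix":
        return "local unix socket"
    transport = transport or "tls"          # remote URIs default to the TLS transport
    return {
        "tls": "TLS (encrypted, X.509 client authentication)",
        "ssh": "SSH tunnel (encrypted, SSH authentication)",
        "tcp": "plaintext TCP (only SASL, if configured, authenticates)",
    }.get(transport, "unknown transport %s" % transport)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_libvirtd(parse_libvirtd_conf(text)) or ["ok"])
    for uri in ("qemu:///system", "qemu://kvm1.example.com/system",
                "qemu+ssh://root@kvm1.example.com/system", "qemu+tcp://kvm1.example.com/system"):
        print(uri, "->", uri_transport(uri))
```

The listeners only exist when libvirtd is started with --listen, so a host whose libvirtd is not given that flag serves the local socket only, which is the safest default for hosts managed over SSH.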

Limit virtual machine
resources with control groups (cgroups)

Control groups (cgroups) can be used to limit the resources (such as
processing power, memory, disk I/O, and networking bandwidth) that a guest's
qemu-kvm process can consume. libvirt exposes these limits in the domain
definition through the cputune, memtune and blkiotune elements. This is an
important feature that can prevent a breached (or merely runaway) guest from
over-consuming resources and causing a denial-of-service for the host and the
other guests.

Protect data at rest
with disk-image encryption

All images belonging to a guest that is not running should be
encrypted, for example by keeping the images on a dm-crypt (LUKS) volume on
the host. If an attacker were to compromise the host's storage, encryption of
data at rest would help prevent an offline attack on the image contents. Be
aware that this protects stopped guests only: while a guest runs, the host
must hold the key. Avoid relying on the legacy AES encryption built into the
qcow2 format, which the QEMU project itself has deprecated as flawed.

Audit host and guests to
obtain valuable forensic information

It is important to track host and guest changes and interactions at all
times, in case a security breach does occur. libvirtd reports guest
lifecycle events (VIRT_CONTROL), resource changes such as disks and NICs
being attached (VIRT_RESOURCE) and the security labels assigned to each
guest (VIRT_MACHINE_ID) to the Linux audit subsystem, alongside the AVC
denials that SELinux logs when a confined guest oversteps its label. By
auditing host and guests, valuable forensic information can be tracked on an
ongoing basis.
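The audit records libvirtd emits are only useful if something reads them. The following is an added example, not code from the original post or from libvirt: it parses VIRT_CONTROL, VIRT_MACHINE_ID and VIRT_RESOURCE records into a per-guest timeline and flags guests that started without sVirt confinement or had a disk attached from outside the image directory. The sample records are constructed, modeled on libvirt's record layout; the guest names, UUIDs, PIDs and paths are made up.

```python
# Added example, not from the original post: parse the VIRT_CONTROL,
# VIRT_MACHINE_ID and VIRT_RESOURCE records libvirtd sends to auditd into a
# per-guest timeline, and flag guests that started outside sVirt confinement
# or had a disk attached from outside the image directory. The sample records
# are constructed, modeled on libvirt's record layout; guest names, UUIDs,
# PIDs and paths are made up.
import re

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

SAMPLE_AUDIT = """\
type=VIRT_CONTROL msg=audit(1320000000.101:201): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="rhel6-web" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000001 vm-pid=2101 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_MACHINE_ID msg=audit(1320000000.102:202): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="rhel6-web" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000001 vm-ctx=system_u:system_r:svirt_t:s0:c47,c903 img-ctx=system_u:object_r:svirt_image_t:s0:c47,c903 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1320000000.103:203): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm="rhel6-web" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000001 old-disk="?" new-disk="/var/lib/libvirt/images/rhel6-web.img" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1320000300.500:240): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="adhoc" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000002 vm-pid=2390 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_MACHINE_ID msg=audit(1320000300.501:241): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="adhoc" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000002 vm-ctx=system_u:system_r:unconfined_t:s0-s0:c0.c1023 img-ctx=none model=none exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1320000420.000:255): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=attach vm="adhoc" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000002 old-disk="?" new-disk="/home/alice/scratch.img" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1320000900.250:301): pid=1044 uid=0 auid=1000 ses=3 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=stop reason=shutdown vm="rhel6-web" uuid=0f1d2c3b-aaaa-bbbb-cccc-000000000001 vm-pid=2101 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
"""


def parse_audit_line(line):
    """Flatten one audit record, including the nested msg='...' part, into a dict."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    outer, _, inner = m.group(4).partition("msg='")
    for text in (outer, inner.rstrip("'")):
        for key, quoted, bare in FIELD.findall(text):
            rec[key] = quoted if quoted else bare
    return rec


def analyse(lines, image_dir="/var/lib/libvirt/images"):
    """Return (timeline, findings); timeline entries are (ts, vm, description)."""
    timeline, findings = [], []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec.get("virt") != "kvm":
            continue
        actor = "auid=%s uid=%s" % (rec.get("auid"), rec.get("uid"))
        if rec["type"] == "VIRT_CONTROL":
            timeline.append((rec["ts"], rec["vm"], "%s (%s) by %s: %s"
                             % (rec["op"], rec.get("reason"), actor, rec.get("res"))))
        elif rec["type"] == "VIRT_MACHINE_ID":
            vm_type = rec.get("vm-ctx", "").split(":")[2:3]
            if rec.get("model") != "selinux" or vm_type != ["svirt_t"]:
                findings.append("%s: started without sVirt confinement (model=%s vm-ctx=%s) by %s"
                                % (rec["vm"], rec.get("model"), rec.get("vm-ctx"), actor))
        elif rec["type"] == "VIRT_RESOURCE" and rec.get("resrc") == "disk":
            disk = rec.get("new-disk", "?")
            if disk != "?" and not disk.startswith(image_dir + "/"):
                findings.append("%s: disk %s %sed from outside %s by %s"
                                % (rec["vm"], disk, rec.get("reason"), image_dir, actor))
    timeline.sort()
    return timeline, findings


if __name__ == "__main__":
    timeline, findings = analyse(SAMPLE_AUDIT.splitlines())
    for ts, vm, what in timeline:
        print("%.3f %-10s %s" % (ts, vm, what))
    for f in findings:
        print("FINDING:", f)
```

The auid field is the login UID that survives su and sudo, so it names the person who started or modified the guest even when the operation was carried out by libvirtd as root.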

When
running a virtualized environment, security is a critical part of the solution
that cannot be overlooked. So be sure to evaluate and consider all of the
security features mentioned above before deploying KVM.

Twenty years ago, who would have thought Linux would evolve into the biggest collaborative development project in the history of computing? In 2000, IBM announced a $1 billion investment in Linux, taking the technology from a very successful science project to a major force in business IT. Not only was this a turning point for Linux and the Linux community, it was also a pivotal moment in IBM's history. This investment was one of the first times IBM made a decision to embrace open source software and make it core to its business strategy.

IBM's involvement and significant investment in Linux has allowed IBM to take on a leading role in the advancement of open source technologies, offering its clients choice, lower costs and interoperability. Most recently, IBM helped found the Open Virtualization Alliance to further customer adoption of open source virtualization technologies such as KVM, the Linux-based hypervisor.

As IBM celebrates its Centennial this year, this investment in Linux remains one of the key moments in IBM's history (read more about that in the IBM 100 Icons of Progress article “Linux: The Era of Open Innovation”). And Linux continues to be a fundamental component of IBM business, embedded deeply in hardware, software, services and internal development.

IBM is not the only one celebrating an anniversary this year. The Linux Foundation is officially celebrating 20 years of Linux (#linux20th) this week at LinuxCon North America in Vancouver, August 17-19, 2011.

IBM is a Platinum Sponsor of LinuxCon North America. Key contributors from the IBM Linux and KVM development and strategy teams are heading to LinuxCon for a variety of activities including:

A keynote by Dr. Irving Wladawsky-Berger, Chairman Emeritus of the IBM Academy of Technology, delivering a retrospective and opinion on the future of Linux.

An IBM-moderated panel consisting of IBM clients Rice University and GHY, using Linux on POWER, and TELUS, using Linux on System z.

As we enter an era of Smarter Computing, IT organizations are facing exploding demand. Data is more than doubling every two years and new services with greater quality are requested. All this, on budgets that on average grow less than one percent per year.

As IT organizations learn how to do more with less, virtualizing servers, storage and networks can help them achieve a simpler, more scalable and cost-efficient IT infrastructure. Proper management of the virtualized infrastructure also improves the speed of deployment of new services. The road to improved business agility has four distinct stages that range from securing IT efficiency in the consolidation stage, to gaining business effectiveness in the optimize stage.

Companies frequently start by virtualizing servers. This can deliver immediate benefits from lower capital expense and reduced energy costs: For example, Edith Cowan University in Australia consolidated a large, distributed, older infrastructure of systems and storage into an end to end, cost effective solution using virtualization on IBM System x. They reduced their physical server count from 600 to 100, achieved significant savings in power and cooling, and freed up administrator time for higher value projects.

Further benefits are available by using IBM Systems Director to manage physical and virtual resources across the entire IBM Systems portfolio (System x, Power, System z, storage, networking) and across multiple virtualization environments (KVM, VMware, etc.). Companies that have implemented Systems Director achieve important savings such as reducing server management costs by up to 34 percent. And using additional tools from IBM Tivoli, IT administrators can deploy new workloads and services more rapidly across IBM and non-IBM environments.

The virtualization journey offers a solid foundation for cloud computing. Clients like China Telecom Jiangxi (.pdf) rely on IBM’s virtualization solutions and expertise to achieve the flexibility and economic benefits of Smarter Computing. Using IBM Power servers, IBM PowerVM and IBM Systems Director VMControl, China Telecom Jiangxi created cloud landscapes and managed pools of virtual systems. They used the IBM SAN Volume Controller (SVC) to virtualize and manage storage. With this IBM solution, they reduced time to market for new offerings from months to days, improved utilization, cut hardware costs by over 50 percent, and reduced power requirements and CO2 emissions.

IBM also provides clients choice, by supporting open source virtualization technologies such as KVM that are cost effective, and offer enterprise-class performance and scalability. In May, IBM helped found the Open Virtualization Alliance, an industry consortium focused on driving market adoption of KVM and fostering an ecosystem of KVM based solutions. Since then, more than 170 members have joined, many of them virtualization, datacenter and Cloud solution providers. This fast pace of enrollment illustrates the excitement we see in the industry around KVM, and the customer demand for an open alternative in virtualization.

IBM’s virtualization solutions are a critical factor of Smarter Computing and the foundation for cloud computing, helping to improve business agility and staff productivity. IBM consistently demonstrates the economic benefits of virtualization on our range of server and storage platforms, and with that addresses the biggest challenges that CIOs and IT architects face today.

Why IBM SONAS?

As dependence on enterprise business computing increases, ensuring that applications are highly reliable becomes more critical. The constant outpouring of data from day-to-day enterprise business applications creates new storage challenges for today’s enterprise IT environment.

VMware vSphere makes it simpler and less expensive to provide higher levels of availability for mission-critical enterprise business applications.

The IBM Scale Out Network Attached Storage (SONAS) provides extreme scale out capability, with a globally clustered network-attached storage (NAS) file system built upon IBM General Parallel File System (IBM GPFS).

IBM SONAS is a best-in-class storage solution that provides the performance, clustered scalability, high availability (HA), and functionality that an enterprise virtual IT infrastructure demands.

An integrated VMware vSphere and IBM SONAS virtual IT infrastructure meets the enterprise demand for high availability and massive scalability in both performance and storage capacity.

Some of the key aspects of an effective high-availability virtualized infrastructure include:

Operational efficiency and management simplicity

Cost effectiveness

Architectural simplicity

High scalability

High performance

Resiliency and flexibility

VMware vSphere provides uniform, cost-effective failover protection against hardware and software failures within an enterprise virtualized IT environment with VMware high availability and fault tolerance features.

Traditional NAS filers do not scale to high capacities. When one filer is fully utilized, a second, third, and more filers are installed. As a result, enterprise IT administrators very often find themselves managing silos of filers: capacity on individual filers cannot be shared, and some filers are heavily accessed while others sit mostly idle.

The SONAS system is available in as small a configuration of 27 terabytes (TB) in the base rack, up to a maximum of 30 interface nodes and 60 storage nodes within 30 storage pods. The storage pods fit into 15 storage expansion racks. The 60 storage nodes can contain a total of 7200 hard disk drives when fully configured using 96-port InfiniBand® switches in the base rack. The SONAS advanced architecture virtualizes and consolidates multiple filers into a single, enterprise-wide file system, which can translate into reduced total cost of ownership, reduced capital expenditure, and enhanced operational efficiency.

Assuming 2 TB disk drives, a fully configured SONAS system can scale up to 14.4 petabytes (PB) of raw storage and billions of files in a single large file system. A fully configured 14.4 PB SONAS system can have as few as eight file systems or as many as 256. IBM SONAS provides:

An interconnected cluster of file-serving and network-interfacing nodes in a redundant high-speed data network

Virtually no capacity limits

Virtually no scalability limits

Support of the cloud environment. A controlled set of end users, projects, and applications can perform the following functions:

Share files with other users within one or more file spaces

Control access to their files using access control lists (Microsoft® Windows® clients) and user groups

Manage each file space with a browser-based tool

Integrating VMware HA and VMware FT technologies with petabyte-scale IBM SONAS offers a best-in-class value proposition. The combination of VMware vSphere and petabyte-scale IBM SONAS provides a simple and robust high availability solution for planned and unplanned downtime in virtual enterprise IT data center environments hosting mission-critical applications.

For more information on IBM SONAS powered virtual IT infrastructure please read following technical reports: